CVE-2022-44036

Published: Jan 3, 2023Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

In b2evolution 7.2.5, if configured with admins_can_manipulate_sensitive_files, arbitrary file upload is allowed for admins, leading to command execution. NOTE: the vendor's position is that this is "very obviously a feature not an issue and if you don't like that feature it is very obvious how to disable it."

Affected (1)

Products: B2evolution: B2evolution Cms

1 product

B2evolution Cms

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
B2evolution B2evolution Cms	Version 7.2.5

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://github.com/b2evolution/b2evolution/issues/121

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://github.com/b2evolution/b2evolution/issues/121

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.